Dear Alexander, thank you for your assistance, this is greatly appreciated.
Regarding the logs - they got quite big, not sure if I can attach them here as a .tgz as I have 972k uncompressed. But on the client I got an error message that might explain the problem better (I have obfuscated the domain but not IP addresses):

smb_gss_krb5_import_cred ccache[KCM:1624200005] failed with [Unspecified GSS failure. Minor code may provide more information: No credentials cache found] -the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT

kinit for the domain user with the credential file worked fine. As the attempt logged below was done with my user, I also retried the same kinit/smbclient call as root with the same result.

Thank you, best regards
Thomas

—— log for smbclient ——

$ KRB5_TRACE=/dev/stderr smbclient -d10 -L ums025.example.com -U [email protected] --use-kerberos=required --use-krb5-ccache=./file.ccache
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  …
  dsdb_group_audit: 10
  dsdb_group_json_audit: 10
Processing section "[global]"
doing parameter workgroup = SAMBA
doing parameter security = user
doing parameter passdb backend = tdbsam
doing parameter printing = cups
doing parameter printcap name = cups
doing parameter load printers = yes
doing parameter cups options = raw
doing parameter include = /etc/samba/usershares.conf
Can't find include file /etc/samba/usershares.conf
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface virbr0 ip=192.168.122.1 bcast=192.168.122.255 netmask=255.255.255.0
added interface ens192 ip=10.130.103.38 bcast=10.130.103.255 netmask=255.255.255.0
Client started (version 4.18.6).
Opening cache file at /var/lib/samba/lock/gencache.tdb
tdb(/var/lib/samba/lock/gencache.tdb): tdb_open_ex: could not open file /var/lib/samba/lock/gencache.tdb: Permission denied
gencache_init: Opening user cache file /home/tha/.cache/samba/gencache.tdb.
sitename_fetch: No stored sitename for realm ''
internal_resolve_name: looking up ums025.example.com#20 (sitename (null))
gencache_set_data_blob: Adding cache entry with key=[NBT/UMS025.EXAMPLE.COM#20] and timeout=[Thu Jan 1 01:00:00 AM 1970 CET] (-1709223544 seconds in the past)
namecache_fetch: no entry for ums025.example.com#20 found.
resolve_hosts: Attempting host lookup for name ums025.example.com<0x20>
remove_duplicate_addrs2: looking for duplicate address/port pairs
namecache_store: storing 1 address for ums025.example.com#20: 10.130.103.25
gencache_set_data_blob: Adding cache entry with key=[NBT/UMS025.EXAMPLE.COM#20] and timeout=[Thu Feb 29 05:30:04 PM 2024 CET] (660 seconds ahead)
internal_resolve_name: returning 1 addresses: 10.130.103.25
Connecting to 10.130.103.25 at port 445
socket options: SO_KEEPALIVE=0, SO_REUSEADDR=0, SO_BROADCAST=0, TCP_NODELAY=1, TCP_KEEPCNT=9, TCP_KEEPIDLE=7200, TCP_KEEPINTVL=75, IPTOS_LOWDELAY=0, IPTOS_THROUGHPUT=0, SO_REUSEPORT=0, SO_SNDBUF=87040, SO_RCVBUF=367360, SO_SNDLOWAT=1, SO_RCVLOWAT=1, SO_SNDTIMEO=0, SO_RCVTIMEO=0, TCP_QUICKACK=1, TCP_DEFER_ACCEPT=0, TCP_USER_TIMEOUT=0
session request ok
negotiated dialect[SMB3_11] against server[ums025.example.com]
cli_session_setup_spnego_send: Connect to ums025.example.com as [email protected] using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'ncalrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
smb_gss_krb5_import_cred ccache[KCM:1624200005] failed with [Unspecified GSS failure. Minor code may provide more information: No credentials cache found] -the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
gensec_update_send: spnego[0x55f8e36a9910]: subreq: 0x55f8e36e5de0
gensec_update_done: spnego[0x55f8e36a9910]: NT_STATUS_INVALID_PARAMETER tevent_req[0x55f8e36e5de0/../../auth/gensec/spnego.c:1632]: state[3] error[-7963671676338569203 (0x917B5ACDC000000D)] state[struct gensec_spnego_update_state (0x55f8e36e5fa0)] timer[(nil)] finish[../../auth/gensec/spnego.c:1947]
SPNEGO login failed: An invalid parameter was passed to a service or function.
session setup failed: NT_STATUS_INVALID_PARAMETER

-----Original Message-----
From: Alexander Bokovoy <[email protected]>
Reply: Alexander Bokovoy <[email protected]>
Date: 29. February 2024 at 14:11:30
To: FreeIPA users list <[email protected]>
Cc: Thomas Handler <[email protected]>
Subject: Re: [Freeipa-users] problem allowing Windows Active Directory users to access SMB shares on IPA client machine (IPA has trust with AD)

> On Wed, 28 Feb 2024, Thomas Handler via FreeIPA-users wrote:
> >
> >Hi all,
> >
> >I am facing a problem I got stuck upon.
> >
> >We have the following setup:
> >
> >                    +-----------+
> >                    |           |
> >                    |    AD     |
> >                    |           |
> >                    +-----------+
> >+--------------+          ^
> >|              +----------+
> >|   ums012     |
> >|              |
> >|   IPA        |
> >+--------------+
> >       ^
> >       |            +--------------+
> >       |            |              |
> >       |            |   ums029     |
> >       |            |              |
> >       |            |   smbclient  |
> >       |            +---+----------+
> >+------+--------+      |
> >|               |      |
> >|   ums025      |      |
> >|               |<-----+
> >|   samba       |
> >+---------------+
> >
> >IPA has a trust established with AD which is working fine.
> >Active Directory users can logon on Linux machines which are connected to IPA, `id some-ad-user` properly shows the AD groups.
> >
> >ums012 and ums025 are running RHEL 9.3, ums029 is running RHEL 8.9.
> >
> >ums029 is used as a test client via smbclient.
> >
> >ums025 was set up following the instructions in
> >https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/using_external_red_hat_utilities_with_identity_management/setting-up-samba-on-an-idm-domain-member_using-external-red-hat-utilities-with-idm
> >
> >Setup worked fine, all steps went ok.
> >
> >But when I switch over to ums029 and try to verify with an AD user I get
> >
> >kinit
> >smbclient -L ums025.idm.example.com -U --use-kerberos=required
> >Password for [@EXAMPLE.COM]:
> >gensec_spnego_client_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for cifs/ums025.idm.example.com failed (next[(null)]): NT_STATUS_INVALID_PARAMETER
> >session setup failed: NT_STATUS_INVALID_PARAMETER
>
> Can you get more details?
>
> It would help to collect debug logs from the samba server as well as the client at the same time, with 'log level = 10' in smb.conf.
>
> Use something like the following on the client:
>
> kinit -c ./file.ccache
> KRB5_TRACE=/dev/stderr smbclient -d10 -L ... -U --use-kerberos=required --use-krb5-ccache=./file.ccache
>
> This will collect information from the client side.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>

--
FreeIPA-users mailing list -- [email protected]
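The client-side trace Alexander asked for is long, and the telling detail in Thomas's output is easy to miss: the command line passes `--use-krb5-ccache=./file.ccache`, yet `smb_gss_krb5_import_cred` reports trying `KCM:1624200005` and finding no cache. The following triage script is an added example, not code from this thread, from Samba or from FreeIPA. It reads `smbclient -d10` output and reports which credential cache was requested, which one the GSS layer actually tried to import, and the NT_STATUS errors in order, so a cache mismatch like this one is flagged before anyone reads 900k of debug log. The sample log is constructed from the lines quoted in the thread; the user principal `aduser@EXAMPLE.COM` is a placeholder, since the archive redacted the real one.

```python
"""Triage helper for a failed Kerberos/SPNEGO session setup in smbclient -d10 output.

Added example, not code from the mailing-list thread, Samba or FreeIPA.
"""
import re
from typing import Dict, List, Optional

# Constructed sample built from the lines quoted in Thomas's message; the
# principal is a placeholder because the archive redacted the real one.
SAMPLE_LOG = """\
$ KRB5_TRACE=/dev/stderr smbclient -d10 -L ums025.example.com -U aduser@EXAMPLE.COM --use-kerberos=required --use-krb5-ccache=./file.ccache
Client started (version 4.18.6).
negotiated dialect[SMB3_11] against server[ums025.example.com]
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
smb_gss_krb5_import_cred ccache[KCM:1624200005] failed with [Unspecified GSS failure. Minor code may provide more information: No credentials cache found] -the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
SPNEGO login failed: An invalid parameter was passed to a service or function.
session setup failed: NT_STATUS_INVALID_PARAMETER
"""

# The cache named on the smbclient command line (echoed at the top of the log).
REQUESTED_RE = re.compile(r"--use-krb5-ccache[= ](\S+)")
# The cache Samba's GSS wrapper actually tried to import, plus the GSS error text.
IMPORTED_RE = re.compile(
    r"smb_gss_krb5_import_cred ccache\[([^\]]+)\] failed with \[(.*?)\]"
)
NTSTATUS_RE = re.compile(r"\b(NT_STATUS_[A-Z_]+)\b")


def canonical_ccache(name: str) -> str:
    """Normalise a ccache name to TYPE:residual.

    MIT krb5 treats a name without a type prefix as a FILE cache, so
    './file.ccache' and 'FILE:./file.ccache' must compare equal.
    """
    return name if ":" in name else f"FILE:{name}"


def triage(log: str) -> Dict[str, object]:
    """Summarise the Kerberos/GENSEC failure chain found in an smbclient debug log."""
    requested: Optional[str] = None
    imported: Optional[str] = None
    gss_error: Optional[str] = None
    statuses: List[str] = []  # NT_STATUS codes in first-seen order

    for line in log.splitlines():
        if requested is None:
            m = REQUESTED_RE.search(line)
            if m:
                requested = m.group(1)
        m = IMPORTED_RE.search(line)
        if m and imported is None:
            imported, gss_error = m.group(1), m.group(2)
        for status in NTSTATUS_RE.findall(line):
            if status not in statuses:
                statuses.append(status)

    mismatch = (
        requested is not None
        and imported is not None
        and canonical_ccache(requested) != canonical_ccache(imported)
    )
    if mismatch:
        verdict = (
            f"GSS layer tried {imported!r} but the command line asked for "
            f"{requested!r}; the requested cache was not the one used by "
            f"gse_krb5. Verify it with: klist -c {requested}"
        )
    elif imported is not None and gss_error:
        verdict = f"credential cache {imported!r} unusable: {gss_error}"
    elif statuses:
        verdict = "session setup failed: " + ", ".join(statuses)
    else:
        verdict = "no Kerberos/GENSEC failure found"

    return {
        "requested_ccache": requested,
        "imported_ccache": imported,
        "ccache_mismatch": mismatch,
        "gss_error": gss_error,
        "nt_statuses": statuses,
        "verdict": verdict,
    }


if __name__ == "__main__":
    import sys

    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for key, value in triage(text).items():
        print(f"{key}: {value}")
```

Pipe a captured trace into it (`KRB5_TRACE=/dev/stderr smbclient -d10 ... 2>&1 | python3 triage.py`) or run it with no input to see the result on the constructed sample. The script only reports; whether the requested file cache was ignored because of how the option was given or because of something on the server side is exactly what the server-side `log level = 10` capture Alexander asked for is meant to settle.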
